
SAN FRANCISCO – Apple on Friday urged iPhone owners to install a security update after a sophisticated attack on an Emirati dissident exposed vulnerabilities targeted by malware dealers.

Researchers at the Lookout mobile security firm and Citizen Lab at the University of Toronto said they had uncovered a three-pronged attack targeting the dissident’s phone “that subverts even Apple’s strong security environment.”

Lookout and Citizen Lab worked with Apple on an iOS patch to defend against the attack, called Trident because of its triad of methods, the researchers said in a joint blog post.

“We were made aware of this vulnerability and immediately fixed it with iOS 9.3.5,” Apple said in a released statement.

The dissident, Mansoor, received text messages on Aug. 10 and 11 promising that secrets about detainees being tortured in United Arab Emirates jails could be accessed by clicking on an enclosed link, researchers said.

Had he fallen for the ruse, the Trident chain of heretofore unknown “zero-day exploits” would have broken into his iPhone and installed snooping software.

Once infected, Mansoor’s iPhone would have been turned into a “spy in his pocket” capable of tracking his whereabouts and conversations, Citizen Lab said.

Mansoor was targeted five years ago with FinFisher spyware and again the following year with Hacking Team spyware, according to Citizen Lab research.

“The use of such expensive tools against Mansoor shows the lengths that governments are willing to go to target activists,” the researchers said.

Although the cyberattack on Mansoor was not linked to a specific government, Citizen Lab said indicators pointed to the UAE.

UAE authorities did not comment on the matter.

Lookout and Citizen Lab believe the spyware has been “in the wild for a significant amount of time.”

“It is also being used to attack high-value targets for multiple purposes, including high-level corporate espionage on iOS, Android and Blackberry.”

Citizen Lab has also found evidence that “state-sponsored actors” used NSO Group’s weapons against a Mexican journalist who reported on high-level corruption in that country and on an unknown target in Kenya.

The NSO tactics included impersonating sites such as the International Committee of the Red Cross, the British government’s visa application processing website and a wide range of news organizations and major technology companies, the researchers said.

Mansoor’s decision to enlist Citizen Lab instead of falling into the trap gave researchers a rare chance to expose the work of “shady cyber arms dealers” who command high prices for morally questionable services, said Lookout’s vice president of security research, Mike Murray.

Invoices posted online have shown that hackers can charge tens of thousands of dollars per target hit with their software.

“The smartphone is a valuable target, and breaking into it is a valuable skill set,” Murray said. “People who can do this, and with wiggle room in their moral code, have realized the business opportunity.”

NSO Group has been around since 2010, and the capture of one of its weapons was billed as a first.

Studying Trident has helped cyberdefenders find ways to spot spyware that had been operating unseen, and they are “actively catching it in the wild now,” Murray said.

He declined to reveal anything about other targets, saying that they were people likely to be under surveillance in other ways by local authorities.

Citizen Lab saw the attack on Mansoor as further evidence that “lawful intercept” spyware has significant abuse potential, and that some governments can’t resist the temptation to use such tools against political opponents, journalists and human rights defenders.

Residents who use Yahoo Mail are being encouraged by the S.C. Department of Consumer Affairs to take action to secure their online accounts following the announcement last month of a massive breach.

During the last two weeks of September, Yahoo announced that at least 500 million user accounts had been compromised.

An investigation by Yahoo following suspicions of an attack in July uncovered a far larger, allegedly state-sponsored attack in recent weeks, according to the Associated Press.

“We take these types of breaches very seriously and will determine how this occurred and who is responsible,” the FBI said in a statement last week.

Given the importance most people place on protecting personal information, the Department of Consumer Affairs is encouraging Yahoo Mail users to take action by following several tips, said Megan Stockhausen, communications coordinator with the agency.

• Change the account password and security questions immediately. Use strong, creative passwords (uppercase, lowercase and special characters) and don’t share them with anyone. Also, don’t use the same passwords or security questions for multiple accounts, especially when using an email address as the login name on a site.

• Watch out for phishing attempts: asking for personal or sensitive information via a phone call, text or email is a tactic used by scammers. Never reply to texts, pop-ups, or emails that ask for verification of personal information. Avoid clicking on links or downloading attachments from suspicious emails or texts.

• Review account statements carefully and notify the financial institution/provider as soon as an unauthorized or suspicious item is spotted.

• Consider a fraud alert and security freeze. Scammers may use the stolen information to open new accounts.

A fraud alert and security freeze are free security measures for a credit report. A fraud alert tells a business accessing the report to take extra steps to verify that the person holding the account is the one seeking its goods/services.

When a security freeze is in place, no one can access the report without the account holder approving it.

Stockhausen said these tips can help anyone trying to secure any personal online information.

Since 2012, the message board PubPeer has served as a sort of 4chan for science, allowing anyone to post anonymous comments on scientific studies. Originally intended as a forum for the discussion of methods and results, PubPeer has perhaps become best known as a clearinghouse for accusations of scientific error, fraud, and misconduct—forcing journals to issue corrections and retractions, damaging careers, and eventually embroiling the site in a court case in which it’s advised by Edward Snowden’s legal team at the American Civil Liberties Union.

In the view of its critics, PubPeer enables an unchecked stream of accusations with no accountability. But to its supporters, PubPeer is maybe the only consistently effective way to expose fraud and error in the current scientific system. It exists at a time of quiet crisis for science and science journals, when the community is concerned about an inability to replicate past results—the so-called “reproducibility crisis”—and the number of papers retracted is on the rise. The traditional system of peer review seems unable to address these problems.

“We started it because we wanted more detailed arguments about science, and we were really shocked at how many fundamental problems there are with papers, involving very questionable research practices and rather obvious misconduct,” said Brandon Stell, a neuroscientist at the Centre National de la Recherche Scientifique in Paris and the creator of PubPeer.

There’s certainly no denying its effect. According to Retraction Watch, a blog that monitors scientific corrections, errors, and fraud, at least three high-profile scientists in the past few months have had their studies retracted by journals after their data was questioned by anonymous commenters on PubPeer.


One of the scientists, Fazlul Sarkar, is currently suing several of the commenters. His lawyers argue the site must reveal the identities of the users that have done damage to Sarkar’s career, after he lost a tenured position at the University of Mississippi. PubPeer has refused to release the information. Both Google and Twitter have filed a court brief in support of the site, which is currently being defended pro-bono by lawyers from the ACLU.

It’s perhaps the most interesting case about internet privacy you’ve never heard of, and it all stems from a frustration among scientists with the shadowy politics of publishing and peer review.

At its base, PubPeer is a site that allows anyone to post comments on any scientific paper listed on the federally-funded PubMed database, either anonymously or under their own name. It’s functionally very simple, but the built-in anonymity makes it a safe outlet for scientists—especially young, early-career scientists—to discuss and criticize research without fear of repercussion. And that’s something they’re apparently eager to do: The site has logged over 55,000 mostly anonymous comments since its launch.

Back in October 2013, someone on the PubPeer site started threads for about 20 previously published papers on which Fazlul Sarkar, a cancer researcher then at Wayne State University in Michigan, was an author. The papers span over a decade and involve a variety of complex molecular signalling pathways involved in cancer. The issues raised by the comments, though, were relatively straightforward: They claimed that images in these studies appeared to have been changed, duplicated, and re-used across papers, suggesting that the experiments they appeared in may have never actually happened, or could have produced different results.

Stell noted that, in an effort to keep the discussion civil (and legal), PubPeer specifically requests that users do not accuse authors outright of misrepresentation or fraud. Comments are moderated in case they break these guidelines, so any discussion of such allegations tends to have a muted tone.

That doesn’t make this group of self-appointed watchdogs any less effective, though. The most frightening words a researcher could read on PubPeer are “There are concerns.”

Discussion over “concerns” surrounding Sarkar’s work expanded rapidly as it became clear the commenters had found a rich vein to mine: According to the NIH funding database and PubMed, Sarkar has received more than $12 million in NIH funding and authored over 500 research papers over his career. The community is nothing if not meticulous—PubPeer commenters have been known to pull up decades-old PhD theses looking for dirt—and a search of the message board shows that eventually 77 papers with Sarkar on the author list were presented for scrutiny. By checking the papers against each other, patterns began to emerge; for example, one user claims a single set of images was duplicated up to 54 times in 13 papers, across three years.

There has been an alarming number of phishing scams identified this year, and these emails are getting cleverer and more realistic than ever.

The latest phishing email you need to keep an eye out for disguises itself as an iTunes email. Much like the Amazon phishing scam we showed you, this email claims that you have been overcharged for a download purchase: $25 for one song (which usually costs $1.99 or less), or $45 for the Netflix app.

The email will show you a very official-looking billing statement and will encourage you to click a link that says, “Cancel andx Manage Subscriptions.” But, because you’re a Komando.com reader, you’ll notice the typo in the link and know that’s red flag number one.

Whatever you do, don’t click that link. It could take you to a malicious site that can steal all of your valuable information, then it’s game over.

If you think you really might have been overcharged, check your bank statements first before clicking any links.

Just being in the know about these emails is step one. There are other steps you can take to keep yourself safe from these phishing attempts. If you see an email like this in your inbox:

- Be sure to exercise caution before you click on anything. Hover over any links and see where they direct before you click. Don’t follow the links in the email; navigate to the company’s site yourself instead.

- Take some time and try to spot the typos.

- If you’re not sure that you can spot the signs, click here to take our phishing IQ test to see how many stand out to you.

- Practice multi-level authentication, which means you have at least two forms of verification, such as a password and a security question, before you log into any sensitive accounts.

- Another thing is to have an internet security system. We recommend our sponsor Kaspersky Lab. Software from Kaspersky Lab can recognize and block ransomware. Even if it’s a new or unknown version of ransomware, Kaspersky Lab can figure out that the program is doing something it shouldn’t. Kaspersky Lab will stop it from running and will roll back any files that were encrypted to a previous non-encrypted version. Of course, Kaspersky Lab software also helps filter out and warn you about phishing scams, so your odds of downloading a ransomware virus are slim. Get this protection, and so much more, with Kaspersky Total Security.
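The “hover over the link first” tip above comes down to one check: does the link’s real destination match where the email says it goes, and is that destination under the company’s real domain? The following script is an added illustration of that check, not code from the original article or from any vendor it names. It goes a little beyond the tip by automating it for every link in an HTML email body: it flags a link whenever its destination host is not under a trusted domain, or when the visible text itself names a host that differs from the real destination. The sample email body, the trusted-domain list and the domain names in it are constructed for the example.

```python
"""Flag links in an HTML e-mail whose visible text and real destination disagree.

Added example for the "hover over the link first" advice; not code from the
original article. The sample body and the domains it uses are constructed
(example.com / example.net / example.org are reserved example names).
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links = []          # finished (href, text) pairs
        self._href = None        # href of the <a> currently open, if any
        self._text = []          # text fragments seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Visible text that "looks like a URL": a host name, optionally with scheme/path.
URL_LIKE = re.compile(r"^(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


def registrable_host(url):
    """Lower-cased host of a URL (scheme added if missing), or "" if none."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def shown_host(text):
    """Host named by the visible link text, if the text looks like a URL."""
    return registrable_host(text) if URL_LIKE.match(text) else ""


def is_trusted(host, trusted_domains):
    """True when host equals one of the trusted domains or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in trusted_domains)


def suspicious_links(html, trusted_domains):
    """Return (href, text, reason) for every link a reader should not click."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        dest = registrable_host(href)
        if not is_trusted(dest, trusted_domains):
            findings.append((href, text, f"destination {dest!r} is not a trusted domain"))
            continue
        shown = shown_host(text)
        if shown and shown != dest:
            findings.append((href, text, f"text shows {shown!r} but link goes to {dest!r}"))
    return findings


# Constructed sample body: the mail claims to come from a company whose real
# domain is example.com. The first link is the lure; the third shows one host
# in its text but points at another.
SAMPLE_EMAIL = """
<p>Your account was charged $45.00. To dispute the charge,</p>
<a href="http://billing-example.net/cancel">Cancel and Manage Subscriptions</a>
<a href="https://help.example.com/receipts">help.example.com/receipts</a>
<a href="https://login.example.com/">www.example.org/account</a>
"""
TRUSTED = ["example.com"]

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL, TRUSTED):
        print(f"DO NOT CLICK: {text!r} -> {href} ({reason})")
```

The trusted-domain check is the important half: the lure in the sample uses a look-alike host (`billing-example.net`), which passes a casual glance but fails a suffix match against the real domain. Matching on the host suffix rather than on the substring “example” is what stops the look-alike from slipping through.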

As college students and parents seek assistance to cover the ever-soaring costs of tuition, some have been targeted by scammers offering false promises of scholarships and grants.

“At CPA, we always encourage prospective and current families to apply for as many scholarships as possible in order to receive the maximum amount of free financial help,” said Mary King of College Parents of America. “Free is a key word. Remember to apply more, but give the least amount of information needed, and never pay to win money.”

According to the Federal Trade Commission, unscrupulous companies sometimes approach prospective college students with bogus offers of scholarships, financial aid or consulting services in exchange for an application fee or payment. Some use high-pressure sales pitches at seminars, urging students to pay immediately or risk losing out on opportunities for aid.

Conducting some online research into the background of a scholarship or consulting company can also help students spot fraudulent or deceptive offers, she said.

Signs that a scholarship offer may be a scam include the presence of application fees, no proof of past winners, no phone number listed, a request for personal financial information and winning a scholarship you didn’t apply for, King said.

There are also companies that claim they have programs that can increase a student’s eligibility for certain scholarships or grants.

Some legitimate companies provide students with lists of scholarships or run students’ profiles through national scholarship databases to find potential scholarships for which they’re eligible. But legitimate companies won’t guarantee scholarships or grants, according to the FTC.

King says students and parents can save money by doing the legwork themselves.

“Avoid companies that state they will do the work for you,” King said. “Scholarships are work. No one else can do it for you. Try to avoid any company that states it will do the work for you.”